CIS CSC #6 – Maintenance, Monitoring and Analysis of Audit Logs

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

This control includes eight (8) sub-controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there is one (1) IG1 control and seven (7) IG2 controls. This means that, at a minimum, we want to:

Ensure that local logging has been enabled on all systems and networking devices.

Another control that is easier said than done. The good news here is that most enterprise environments are using Active Directory to manage the Windows servers and workstations. This makes enabling local log collection easier, as a GPO can be pushed out to enable logging and store logs locally. Make sure this GPO sets the logs to overwrite events as needed, or else you will stop collecting logs once the defined storage space has been filled. This TechNet article provides some good recommendations for defining an Audit Policy practice.
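Pushing the GPO is only half the job; you also want to confirm it actually landed on a given host. Below is an added PowerShell check (my own example, not code from the TechNet article) that reports, for a handful of logs, whether logging is enabled, whether the retention mode is "overwrite as needed" (LogMode Circular), and whether the maximum size is above a baseline, then lists audit subcategories still set to "No Auditing". The 192 MB baseline and the log list are assumptions you should adjust to your own policy; run it in an elevated session.

```powershell
# Added example: audit local Windows event log settings against the CSC 6 points
# above (enabled, overwrite-as-needed, sane size). Not part of the original post.
# 192MB and the log list below are assumed baselines, not values from the post.
$MinSizeBytes = 192MB
$Logs = 'Application', 'Security', 'System', 'Microsoft-Windows-PowerShell/Operational'

$findings = foreach ($name in $Logs) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if (-not $log) {
        [pscustomobject]@{ Log = $name; Status = 'MISSING'; Detail = 'log not found on this host' }
        continue
    }
    $issues = @()
    if (-not $log.IsEnabled) { $issues += 'logging disabled' }
    # Circular = "overwrite events as needed"; Retain/AutoBackup can stall collection when full
    if ($log.LogMode -ne 'Circular') { $issues += "LogMode is $($log.LogMode), not overwrite-as-needed" }
    if ($log.MaximumSizeInBytes -lt $MinSizeBytes) {
        $issues += "max size $([math]::Round($log.MaximumSizeInBytes / 1MB)) MB is below baseline"
    }
    [pscustomobject]@{
        Log    = $name
        Status = if ($issues) { 'FAIL' } else { 'OK' }
        Detail = ($issues -join '; ')
    }
}
$findings | Format-Table -AutoSize

# Audit policy gaps: subcategories that record neither success nor failure.
# auditpol /r emits CSV; blank lines are dropped before parsing.
$unaudited = auditpol /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object -ExpandProperty Subcategory

"Subcategories with no auditing configured: $($unaudited.Count)"
$unaudited
```

Any FAIL row or a long "No Auditing" list means the GPO either did not apply to that host or does not cover that setting, which is exactly the blind spot this sub-control is meant to close.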

With Windows devices out of the way, we'll need to start chasing down everything else: routers, firewalls, switches, IoT devices, and really any device that is connected to your network should have logging enabled. You'll want to identify and track any devices that do not have any logging capability, as each one is a blind spot for this control. As the environment matures, there may be mitigating controls available, such as logging and monitoring the network traffic to and from those devices.

Each device will have its own logging scope and format, and the settings may only be available through the admin interfaces, either web-based or through the command line interface. Any vendor documentation or manuals will be a great resource for you here.

In lieu of an example command, below is an introduction to the Elastic Stack, which is a great tool for collecting and analyzing event logs from all over your network in a single place.